Re: HOWTO: How to remove VX2 spyware (the latest and worst versions)
- From: NoStop <nostop@xxxxxxxxxx>
- Date: Tue, 13 Dec 2005 19:20:30 -0800
On Tuesday 13 December 2005 02:35 pm, dude had this to say in
microsoft.public.windowsxp.general:
> Hi,
>
> A friend of mine got infected with a variant of VX2 spyware because
> some idiot administrator at their work ordered that they don't install
> SP2 or any other updates.
>
> This particular flavor of VX2 that he got is extremely difficult to
> remove. NONE of the anti-spyware programs could remove it on their own.
> AdAware WITH the VX2 Cleaner plug-in also said that it's a new variant
> that it can't do anything about.
>
> After about 3 hours of analysis, I found a way to remove it. It's
> pretty difficult for a normal user.
>
> 1. Clean all spyware that normal tools like AdAware and Search&Destroy
> can clean.
>
> 2. Download "HijackThis", run it and click "Do a system scan only"
>
> 3. Under "Winlogon Notify" in the list that HijackThis produces, you
> will find a DLL file in windows\system32 with a random name, such as
> t85r03194w.dll. WRITE IT DOWN. Close HijackThis.
>
> 4. Open regedit. Go to
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell
> Extensions\Approved
>
> 5. On the right hand side, look for an item that has something in the
> "Name" column but NO DATA on the right (in the "Data" column). There's
> normally only one shell extension like that, for VX2. Click that item,
> press F2, Ctrl+C, Esc (to copy the GUID).
>
> 6. Go to My Computer in regedit, and press Ctrl+F, Ctrl+C, Enter (to
> find this GUID). When regedit finds the key, expand it, and under
> InProcServer32 you will see, on the right hand side, the "(Default)"
> key that will contain a file name such as
> C:\WINDOWS\SYSTEM32\askjhas.dll. WRITE IT DOWN AS WELL.
>
> 7. Get an XP installation CD ready.
>
> 8. THE FOLLOWING IS THE MOST IMPORTANT STEP.
>
> 9. SWITCH OFF THE COMPUTER FROM THE MAINS. DO *NOT* SHUT DOWN THE
> COMPUTER - SWITCH IT OFF FROM THE POWER PLUG. This is to prevent VX2
> renaming the DLL files, which it ALWAYS does. Do **NOT** use the Power
> Off button on your computer - plug off the CABLE that's in the wall
> socket.
>
> 10. Power on the computer, and immediately insert the XP installation
> CD. Make sure the computer boots from the CD. If the computer starts
> booting from the hard disk, SWITCH IT OFF FROM THE MAINS STRAIGHT AWAY
> and repeat step 10. If you fail here, you'll have to start from the
> beginning.
>
> 11. Once XP setup starts, choose R (for Recovery console).
>
> 12. Choose 1 as the Windows installation.
>
> 13. Type in the administrator password for your computer.
>
> 14. Type in "CD WINDOWS\SYSTEM32" and press Enter.
>
> 15. Type in "ren X1.DLL SHIT1.TXT". x1.dll is the name of the file you
> wrote down the first time.
>
> 16. Type in "ren X2.DLL SHIT2.TXT". x2.dll is the name of the file you
> wrote down the *second* time (step 6).
>
> 17. Type EXIT and reboot your computer normally.
>
> This worked beautifully for me.
>
> In conclusion, whoever wrote this VX2 spyware should be imprisoned for
> a very, very long time and his computer burned at the stake.
18. Dump the toy operating system and get a real one that won't be plagued
by this malware.
--
A Microsoft Certified System Engineer is to information technology
as a McDonalds Certified Food Specialist is to the culinary arts.